
Bernstein Bound on WCS is Tight

Repairing Luykx-Preneel Optimal Forgeries
  • Mridul Nandi
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10992)

Abstract

In Eurocrypt 2018, Luykx and Preneel described hash-key-recovery and forgery attacks against polynomial-hash-based Wegman-Carter-Shoup (WCS) authenticators. Their attacks require \(2^{n/2}\) message-tag pairs and recover the hash-key with probability about \(1.34\, \times \, 2^{-n}\), where n is the bit-size of the hash-key. Bernstein in Eurocrypt 2005 had provided an upper bound (known as the Bernstein bound) on the maximum forgery advantage. The bound says that all adversaries making \(O(2^{n/2})\) queries to WCS can have forgery advantage at most \(O(2^{-n})\). So Luykx and Preneel essentially analyze WCS in a range of query complexities where WCS is known to be perfectly secure. Here we revisit the bound and find that WCS remains secure against all adversaries making \(q \ll \sqrt{n} \times 2^{n/2}\) queries. So it is meaningful to analyze adversaries with beyond-birthday-bound complexities.

In this paper, we show that the Bernstein bound is tight by describing two attacks (one in the “chosen-plaintext model” and the other in the “known-plaintext model”) which recover the hash-key (and hence forge) with probability at least [expression not recoverable from the page] based on \(\sqrt{n} \times 2^{n/2}\) message-tag pairs. We also extend the forgery adversary to the Galois Counter Mode (GCM). More precisely, we recover the hash-key of GCM with probability at least \(\frac{1}{2}\) based on only \(\sqrt{\frac{n}{\ell }} \times 2^{n/2}\) encryption queries, where \(\ell \) is the number of blocks present in the encryption queries.
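To make the object of the abstract concrete, the following is an added example (written for this page, not code from the paper or its author) of a polynomial-hash WCS authenticator: a hash key K is used to evaluate the message as a polynomial over GF(2^128), and the result is masked with a nonce-keyed pseudorandom value F_k(N). The hash key K and the mask are exactly the two quantities the abstract's attacks target. Assumptions made here: GF(2^128) is represented in plain polynomial basis with modulus x^128 + x^7 + x^2 + x + 1 (so the arithmetic is not byte-exact GHASH, which uses a bit-reflected convention), the mask PRF is a stand-in HMAC-SHA256 truncated to 128 bits rather than GCM's AES, and the length block appended in `to_blocks` is this example's own choice. The last function shows the property behind the unique-nonce requirement in the WCS proofs: with a repeated nonce the mask cancels and the XOR of two tags equals the XOR of two hash values, i.e. a relation in K alone.

```python
"""Toy polynomial-hash Wegman-Carter-Shoup (WCS) authenticator over GF(2^128).

Added example, not code from the paper.  Assumptions: plain (non-reflected)
polynomial basis for GF(2^128); HMAC-SHA256 stands in for the PRF F_k(N).
"""
import hashlib
import hmac

N_BITS = 128
MASK128 = (1 << N_BITS) - 1
# Low-order bits of the reduction polynomial x^128 + x^7 + x^2 + x + 1.
R = (1 << 7) | (1 << 2) | (1 << 1) | 1


def gf_mul(a: int, b: int) -> int:
    """Multiply two GF(2^128) elements: carry-less product with reduction."""
    assert 0 <= a <= MASK128 and 0 <= b <= MASK128
    result = 0
    while b:
        if b & 1:
            result ^= a          # add a * x^i for each set bit i of b
        b >>= 1
        a <<= 1                  # a := a * x
        if a >> N_BITS:          # degree reached 128: subtract the modulus
            a = (a ^ R) & MASK128
    return result


def gf_pow(a: int, e: int) -> int:
    """Square-and-multiply exponentiation in GF(2^128)."""
    result = 1
    while e:
        if e & 1:
            result = gf_mul(result, a)
        a = gf_mul(a, a)
        e >>= 1
    return result


def poly_hash(hash_key: int, blocks: list) -> int:
    """H_K(m_1..m_l) = sum_i m_i * K^(l-i+1), evaluated by Horner's rule."""
    acc = 0
    for m in blocks:
        acc = gf_mul(acc ^ m, hash_key)
    return acc


def poly_hash_direct(hash_key: int, blocks: list) -> int:
    """Same polynomial evaluated term by term; used to cross-check Horner."""
    l = len(blocks)
    total = 0
    for i, m in enumerate(blocks, start=1):
        total ^= gf_mul(m, gf_pow(hash_key, l - i + 1))
    return total


def to_blocks(msg: bytes) -> list:
    """Split into 16-byte blocks (zero-padded) plus a final bit-length block.

    The length block is this example's choice, so that messages differing
    only in trailing zero padding do not share a hash."""
    blocks = [int.from_bytes(msg[i:i + 16].ljust(16, b"\0"), "big")
              for i in range(0, len(msg), 16)]
    blocks.append(len(msg) * 8)
    return blocks


def mask(mask_key: bytes, nonce: bytes) -> int:
    """Stand-in PRF F_k(N): HMAC-SHA256 truncated to n = 128 bits (assumption)."""
    return int.from_bytes(hmac.new(mask_key, nonce, hashlib.sha256).digest()[:16], "big")


def wcs_tag(hash_key: int, mask_key: bytes, nonce: bytes, msg: bytes) -> int:
    """WCS tag: Tag = H_K(M) xor F_k(N)."""
    return poly_hash(hash_key, to_blocks(msg)) ^ mask(mask_key, nonce)


def wcs_verify(hash_key: int, mask_key: bytes, nonce: bytes, msg: bytes, tag: int) -> bool:
    """Constant-time comparison of the recomputed tag with the received one."""
    if not 0 <= tag <= MASK128:
        return False
    expected = wcs_tag(hash_key, mask_key, nonce, msg).to_bytes(16, "big")
    return hmac.compare_digest(expected, tag.to_bytes(16, "big"))


def mask_cancels_on_nonce_reuse(hash_key: int, mask_key: bytes) -> bool:
    """With a repeated nonce, Tag1 xor Tag2 == H_K(M1) xor H_K(M2): the mask
    drops out and what remains is a relation in the hash key alone.  This is
    why WCS security proofs require nonces never to repeat."""
    nonce = b"constructed-nonce"          # constructed sample value
    m1, m2 = b"constructed message one", b"constructed message two"
    t1 = wcs_tag(hash_key, mask_key, nonce, m1)
    t2 = wcs_tag(hash_key, mask_key, nonce, m2)
    h1 = poly_hash(hash_key, to_blocks(m1))
    h2 = poly_hash(hash_key, to_blocks(m2))
    return (t1 ^ t2) == (h1 ^ h2)


if __name__ == "__main__":
    K = 0x0123456789ABCDEF0123456789ABCDEF   # constructed hash key
    k = b"\x00" * 16                         # constructed mask key
    t = wcs_tag(K, k, b"nonce-01", b"constructed message")
    print("tag:", hex(t), "verifies:", wcs_verify(K, k, b"nonce-01", b"constructed message", t))
```

The Horner form is what implementations use; `poly_hash_direct` is there only so the polynomial structure that the paper's attacks exploit is visible in code. Any deployment of this shape stands or falls on two things the example makes explicit: the mask key must never be used with a repeated nonce, and verification must be constant-time.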

Keywords

WCS authenticator, GCM, Polynomial hash, Universal hash, AXU, Key-recovery, Forgery

Notes

Acknowledgments

The author would like to thank Anirban Ghatak, Eik List, Subhamoy Maitra, Bart Mennink and anonymous reviewers for their useful comments. The author would also like to thank Atul Luykx for the initial discussion of the paper. This work is supported by R. C. Bose Center for Cryptology and Security.

References

  1. [ABBT15]
    Abdelraheem, M.A., Beelen, P., Bogdanov, A., Tischhauser, E.: Twisted polynomials and forgery attacks on GCM. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 762–786. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_29
  2. [AY12]
    Aoki, K., Yasuda, K.: The security and performance of “GCM” when short multiplications are used instead. In: Kutyłowski, M., Yung, M. (eds.) Inscrypt 2012. LNCS, vol. 7763, pp. 225–245. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38519-3_15
  3. [BBS86]
    Blum, L., Blum, M., Shub, M.: A simple unpredictable pseudo-random number generator. SIAM J. Comput. 15(2), 364–383 (1986)
  4. [Ber70]
    Berlekamp, E.R.: Factoring polynomials over large finite fields. Math. Comput. 24(111), 713–735 (1970)
  5. [Ber05a]
    Bernstein, D.J.: The Poly1305-AES message-authentication code. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 32–49. Springer, Heidelberg (2005). https://doi.org/10.1007/11502760_3
  6. [Ber05b]
    Bernstein, D.J.: Stronger security bounds for Wegman-Carter-Shoup authenticators. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 164–180. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_10
  7. [Ber07]
    Bernstein, D.J.: Polynomial evaluation and message authentication (2007). http://cr.yp.to/papers.html#pema. ID b1ef3f2d385a926123e1517392e20f8c
  8. [BGM04]
    Bellare, M., Goldreich, O., Mityagin, A.: The power of verification queries in message authentication and authenticated encryption. IACR Cryptology ePrint Archive, 2004:309 (2004)
  9. [BHK+99]
    Black, J., Halevi, S., Krawczyk, H., Krovetz, T., Rogaway, P.: UMAC: fast and secure message authentication. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 216–233. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_14
  10. [BJKS94]
    Bierbrauer, J., Johansson, T., Kabatianskii, G., Smeets, B.: On families of hash functions via geometric codes and concatenation. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 331–342. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_28. http://cr.yp.to/bib/entries.html#1994/bierbrauer
  11. [Bra83]
    Brassard, G.: On computationally secure authentication tags requiring short secret shared keys. In: Chaum, D., Rivest, R.L., Sherman, A.T. (eds.) Advances in Cryptology, pp. 79–86. Springer, Boston, MA (1983). https://doi.org/10.1007/978-1-4757-0602-4_7
  12. [BT16]
    Bellare, M., Tackmann, B.: The multi-user security of authenticated encryption: AES-GCM in TLS 1.3. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 247–276. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_10
  13. [CW79]
    Carter, L., Wegman, M.N.: Universal classes of hash functions. J. Comput. Syst. Sci. 18(2), 143–154 (1979)
  14. [CZ81]
    Cantor, D.G., Zassenhaus, H.: A new algorithm for factoring polynomials over finite fields. Math. Comput. 36(154), 587–592 (1981)
  15. [dB93]
    den Boer, B.: A simple and key-economical unconditional authentication scheme. J. Comput. Secur. 2, 65–71 (1993). http://cr.yp.to/bib/entries.html#1993/denboer
  16. [DR05]
    Daemen, J., Rijmen, V.: Rijndael/AES. In: van Tilborg, H.C.A. (ed.) Encyclopedia of Cryptography and Security, pp. 520–524. Springer, Boston (2005). https://doi.org/10.1007/0-387-23483-7
  17. [GMS74]
    Gilbert, E.N., MacWilliams, F.J., Sloane, N.J.A.: Codes which detect deception. Bell Labs Tech. J. 53(3), 405–424 (1974)
  18. [HK97]
    Halevi, S., Krawczyk, H.: MMH: software message authentication in the Gbit/second rates. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 172–189. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052345
  19. [HP08]
    Handschuh, H., Preneel, B.: Key-recovery attacks on universal hash function based MAC algorithms. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 144–161. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85174-5_9
  20. [IOM12a]
    Iwata, T., Ohashi, K., Minematsu, K.: Breaking and repairing GCM security proofs (2012)
  21. [IOM12b]
    Iwata, T., Ohashi, K., Minematsu, K.: Breaking and repairing GCM security proofs. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 31–49. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_3
  22. [Jou]
    Joux, A.: Comments on the draft GCM specification: authentication failures in NIST version of GCM
  23. [JTC11]
    JTC1: ISO/IEC 9797-1:2011 Information technology - Security techniques - Message authentication codes (MACs) - Part 1: Mechanisms using a block cipher (2011)
  24. [KR87]
    Karp, R.M., Rabin, M.O.: Efficient randomized pattern-matching algorithms. IBM J. Res. Dev. 31, 249–260 (1987). http://cr.yp.to/bib/entries.html#1987/karp
  25. [Kra94]
    Krawczyk, H.: LFSR-based hashing and authentication. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 129–139. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48658-5_15
  26. [LP18]
    Luykx, A., Preneel, B.: Optimal forgeries against polynomial-based MACs and GCM. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 445–467. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78381-9_17
  27. [LS18]
    Leurent, G., Sibleyras, F.: The missing difference problem, and its applications to counter mode encryption. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10821, pp. 745–770. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8_24
  28. [MV04]
    McGrew, D.A., Viega, J.: The security and performance of the Galois/Counter Mode (GCM) of operation. In: Canteaut, A., Viswanathan, K. (eds.) INDOCRYPT 2004. LNCS, vol. 3348, pp. 343–355. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30556-9_27
  29. [MV06]
    McGrew, D., Viega, J.: The use of Galois Message Authentication Code (GMAC) in IPsec ESP and AH. Technical report, May 2006
  30. [Nan14]
    Nandi, M.: On the minimum number of multiplications necessary for universal hash functions. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 489–508. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46706-0_25
  31. [PC15]
    Procter, G., Cid, C.: On weak keys and forgery attacks against polynomial-based MAC schemes. J. Cryptol. 28(4), 769–795 (2015)
  32. [Pub01]
    NIST FIPS Pub. 197: Advanced encryption standard (AES). Federal information processing standards publication, 197(441):0311 (2001)
  33. [Rab81]
    Rabin, M.O.: Fingerprinting by random polynomials (1981). http://cr.yp.to/bib/entries.html#1981/rabin. Note: Harvard Aiken Computational Laboratory TR-15-81
  34. [Rog95]
    Rogaway, P.: Bucket hashing and its application to fast message authentication. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 29–42. Springer, Heidelberg (1995). https://doi.org/10.1007/3-540-44750-4_3
  35. [Saa12]
    Saarinen, M.-J.O.: Cycling attacks on GCM, GHASH and other polynomial MACs and hashes. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 216–225. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34047-5_13
  36. [SCM08]
    Salowey, J., Choudhury, A., McGrew, D.: AES Galois Counter Mode (GCM) cipher suites for TLS. Technical report, August 2008
  37. [Sho96]
    Shoup, V.: On fast and provably secure message authentication based on universal hashing. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 313–328. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_24
  38. [Sti94]
    Stinson, D.R.: Universal hashing and authentication codes. Des. Codes Cryptogr. 4(3), 369–380 (1994)
  39. [Tay94]
    Taylor, R.: An integrity check value algorithm for stream ciphers. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 40–48. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_4
  40. [WC81]
    Wegman, M.N., Carter, L.: New hash functions and their use in authentication and set equality. J. Comput. Syst. Sci. 22(3), 265–279 (1981)
  41. [ZTG13]
    Zhu, B., Tan, Y., Gong, G.: Revisiting MAC forgeries, weak keys and provable security of Galois/Counter Mode of operation. In: Abdalla, M., Nita-Rotaru, C., Dahab, R. (eds.) CANS 2013. LNCS, vol. 8257, pp. 20–38. Springer, Cham (2013). https://doi.org/10.1007/978-3-319-02937-5_2

Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  1. Indian Statistical Institute, Kolkata, India
